Even the FBI says you need to patch this Atlassian Confluence bug right now

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warned Atlassian Confluence server users to patch their endpoints immediately. 

The warning was issued after new findings suggesting a recently discovered flaw - CVE-2023-22515 - is being actively exploited in low-complexity, highly damaging attacks that don’t require any victim interaction to be successful.

In a security advisory, the organizations said that hackers are using the flaw to gain access to systems and then continue active exploitation even post-patch. The flaw is deemed critical, with the three bodies expecting “widespread, continued exploitation due to ease of exploitation”. 

Privilege escalation flaw

Besides applying the patch with utmost urgency, users are also encouraged to “hunt for malicious activity” on their networks using the detection signatures and indicators of compromise (IoC) published in the advisory. “If a potential compromise is detected, organizations should apply the incident response recommendations,” the advisory concludes.

The three organizations are referring to a vulnerability tracked as CVE-2023-22515, a critical privilege escalation flaw found in Confluence Data Center and Server 8.0.0. Instances. 

Atlassian patched the flaw on October 4, urging users to immediately upgrade to versions that are not affected - 8.3.3 or later, 8.4.3 or later, 8.5.2 or later. Organizations that were unable to apply the patch immediately were advised to shut down the servers, or disconnect them from the global internet. 

In the meantime, a Chinese state-sponsored threat actor Storm-0062 was observed abusing it in attacks, BleepingComputer reported. The attacks were seemingly very limited, Greynoise added, but with proofs-of-concept being on the way, that might soon change for the worse. The publication added that previous similar campaigns involved Linux botnet malware, crypto miners, and ransomware attacks, hinting at the size of the problem.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.